Bug 124611

Summary:

ARMv7: Crash due to use after free of AssemblerBuffer

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

buildbot, commit-queue, rniwa

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

Windows 2000

Attachments:

Description	Flags
Patch	buildbot: commit-queue-
Fixed inadvertent typo	none
Updated patch	ggaren: review+

Michael Saboff

Reported 2013-11-19 15:17:56 PST

One crash trace seen is: * thread #1: tid = 0x18ef, 0x0015ffe2 JavaScriptCore`JSC::ARMv7Assembler::executableOffsetFor(int) + 58, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x361672c) frame #0: 0x0015ffe2 JavaScriptCore`JSC::ARMv7Assembler::executableOffsetFor(int) + 58 frame #1: 0x0015ffa2 JavaScriptCore`JSC::MacroAssemblerARMv7::executableOffsetFor(int) + 18 frame #2: 0x0015ff80 JavaScriptCore`JSC::AssemblerLabel JSC::LinkBuffer::applyOffset<JSC::AssemblerLabel>(JSC::AssemblerLabel) + 20 frame #3: 0x0015eb94 JavaScriptCore`JSC::LinkBuffer::locationOf(JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::Label) + 32 frame #4: 0x0018e0ca JavaScriptCore`JSC::DFG::JITFinalizer::finalizeFunction() + 38 frame #5: 0x001c18ba JavaScriptCore`JSC::DFG::Plan::finalizeWithoutNotifyingCallback() + 62 frame #6: 0x00161504 JavaScriptCore`JSC::DFG::compileImpl(JSC::VM&, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>, JSC::DFG::Worklist*) + 932 frame #7: 0x00161116 JavaScriptCore`JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>, JSC::DFG::Worklist*) + 138 frame #8: 0x0027fdbc JavaScriptCore`operationOptimize + 1480 frame #9: 0x44230b79 The issue is that the ARMv7Assembler object is a local in Plan::compileInThreadImpl() and has been freed. ANother more obscure stack trace is: * thread #1: tid = 0x15f8, 0x00488726 JavaScriptCore`WTFCrash + 58 at Assertions.cpp:341, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x00488726 JavaScriptCore`WTFCrash + 58 at Assertions.cpp:341 frame #1: 0x000ce5e0 JavaScriptCore`WTF::CrashOnOverflow::overflowed() + 8 at CheckedArithmetic.h:80 frame #2: 0x000aa67e JavaScriptCore`WTF::Vector<WTF::Vector<JSC::DFG::OSRExit, 8ul, WTF::CrashOnOverflow>*, 0ul, WTF::CrashOnOverflow>::at(this=0x0125deb4, i=848195) + 54 at Vector.h:584 frame #3: 0x000aa642 JavaScriptCore`WTF::Vector<WTF::Vector<JSC::DFG::OSRExit, 8ul, WTF::CrashOnOverflow>*, 0ul, WTF::CrashOnOverflow>::operator[](this=0x0125deb4, i=848195) + 18 at Vector.h:604 frame #4: 0x000aa5ac JavaScriptCore`WTF::SegmentedVector<JSC::DFG::OSRExit, 8ul, 32ul>::segmentFor(this=0x0125deb0, index=6785564) + 28 at SegmentedVector.h:217 frame #5: 0x000aa574 JavaScriptCore`WTF::SegmentedVector<JSC::DFG::OSRExit, 8ul, 32ul>::at(this=0x0125deb0, index=6785564) + 20 at SegmentedVector.h:128 frame #6: 0x000aa18a JavaScriptCore`WTF::SegmentedVector<JSC::DFG::OSRExit, 8ul, 32ul>::operator[](this=0x0125deb0, index=6785564) + 18 at SegmentedVector.h:138 frame #7: 0x001ba486 JavaScriptCore`compileOSRExit(exec=0x02bff7d8) + 246 at DFGOSRExitCompiler.cpp:61 frame #8: 0x5dec2ca7 frame #9: 0x0034e900 JavaScriptCore`llint_op_call + 218 …

Attachments
Patch (2.92 KB, patch) 2013-11-19 15:24 PST, Michael Saboff	buildbot: commit-queue-	Details Formatted Diff Diff
Fixed inadvertent typo (2.50 KB, patch) 2013-11-19 15:29 PST, Michael Saboff	no flags	Details Formatted Diff Diff
Updated patch (3.91 KB, patch) 2013-11-19 19:55 PST, Michael Saboff	ggaren: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2013-11-19 15:18:10 PST

<rdar://problem/15452643>

Michael Saboff

Comment 2 2013-11-19 15:24:12 PST

Created attachment 217341 [details] Patch

WebKit Commit Bot

Comment 3 2013-11-19 15:26:16 PST

Attachment 217341 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/assembler/MacroAssembler.cpp', u'Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp', u'Source/JavaScriptCore/dfg/DFGJITFinalizer.h']" exit_code: 1 Source/JavaScriptCore/assembler/MacroAssembler.cpp:1: Missing spaces around / [whitespace/operators] [3] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.

Build Bot

Comment 4 2013-11-19 15:26:21 PST

Comment on attachment 217341 [details] Patch Attachment 217341 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/28628031

Michael Saboff

Comment 5 2013-11-19 15:29:03 PST

Created attachment 217344 [details] Fixed inadvertent typo

Geoffrey Garen

Comment 6 2013-11-19 15:45:08 PST

Comment on attachment 217344 [details] Fixed inadvertent typo View in context: https://bugs.webkit.org/attachment.cgi?id=217344&action=review > Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp:44 > + if (m_arityCheck.isSet()) The old code didn't check m_arityCheck.isSet(). Why do we need to check it now? > Source/JavaScriptCore/dfg/DFGJITFinalizer.h:54 > MacroAssembler::Label m_arityCheck; > + MacroAssemblerCodePtr m_withArityCheck; It's not so great to have two data members with equivalent names, one of which works, and the other of which crashes your program. Can we remove the Label version of arityCheck? It appears to be used only in the JITFinalizer constructor function.

Geoffrey Garen

Comment 7 2013-11-19 15:47:38 PST

Comment on attachment 217344 [details] Fixed inadvertent typo View in context: https://bugs.webkit.org/attachment.cgi?id=217344&action=review > Source/JavaScriptCore/ChangeLog:9 > + Changed JITFinalizer constructor to calculate and save the with-arity-check entry point. > + At that point, the assembler object is still valid. In finalizeFunction(), we use that value Which assembler object are you talking about? Was it locationOf() that was using the invalid assembler? Is there a risk that finalizeCodeWithoutDisassembly() will use the invalid assembler?

Michael Saboff

Comment 8 2013-11-19 15:56:39 PST

(In reply to comment #7) > (From update of attachment 217344 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=217344&action=review > > > Source/JavaScriptCore/ChangeLog:9 > > + Changed JITFinalizer constructor to calculate and save the with-arity-check entry point. > > + At that point, the assembler object is still valid. In finalizeFunction(), we use that value > > Which assembler object are you talking about? Was it locationOf() that was using the invalid assembler? Is there a risk that finalizeCodeWithoutDisassembly() will use the invalid assembler? The assembler object is the MacroAssembler* m_assembler in LinkBuffer. Yes, it was LinkBuffer::locationOf() that was using the freed assembler. finalizeCodeWithoutDisassembly() is making the buffer ready for execution. It doesn't access the assembler. The only reason that locationOf() accesses the assembler is due to branch compaction. We store the delta in the assembler buffer as part of the compaction. I didn't find any other uses of m_assembler after the code has been linked.

Michael Saboff

Comment 9 2013-11-19 19:55:45 PST

Created attachment 217374 [details] Updated patch Changed the JITFinalizer() to take a resolved MacroAssemblerCodePtr instead of a MacroAssembler::Label.

Geoffrey Garen

Comment 10 2013-11-20 11:52:19 PST

Comment on attachment 217374 [details] Updated patch r=me It looks like, for the FTL JITFinalizer, we'll need to make a similar move away from Labels and toward post-relaxation pointers. Can you file a bug about that?

Michael Saboff

Comment 11 2013-11-20 13:12:59 PST

Committed r159577: <http://trac.webkit.org/changeset/159577>

Michael Saboff

Comment 12 2013-11-20 13:17:52 PST

(In reply to comment #10) > (From update of attachment 217374 [details]) > r=me > > It looks like, for the FTL JITFinalizer, we'll need to make a similar move away from Labels and toward post-relaxation pointers. Can you file a bug about that? Added https://bugs.webkit.org/show_bug.cgi?id=124674 - "FTLJITFinalizer shouldn't keep Labels to the contained generated code"

Note You need to log in before you can comment on or make changes to this bug.